Method of secure transmission of digital data from a source to a receiver

ABSTRACT

To transmit digital data representing a content from a source (1) to a receiver (2) through a digital communication channel, the data being scrambled by at least one control word (CW), the method includes the following steps. The source generates an encryption key (KCW) which it stores temporarily. It encrypts the control word with the encryption key and transmits to the receiver the scrambled digital data (3) and the encrypted control word (4), the latter being transmitted through an encrypted communication channel (21). The receiver then performs an operation (22) of authentication of the source. When the source is authenticated by the receiver, it transmits the encryption key (KCW) to it. The receiver then decrypts the control word and descrambles the data so as to present them to a user. The encryption key is then erased from the memories of the source and the receiver when the content has been entirely transmitted.

FIELD OF THE INVENTION

[0001] The present invention relates in a general manner to the field of copy protection of digital data. It is more particularly concerned with a method of transmitting digital data representing a content from a source to a receiver, in particular in a digital network, making it possible to prevent copying of these data, or at the very least, rendering any copy unusable.

BACKGROUND ART

[0002] It is known practice to associate with digital data representing a content, in particular a video or audio sequence, copy control information items commonly denoted CCI (standing for “Copy Control Information”) or else CGMS (standing for “Copy Generation Management System”).

[0003] These information items, which are inserted into the data by the content provider, generally define four possible states for the data:

[0004] copying authorized (“copy free”);

[0005] a single generation (or a given number of generations) of copying authorized (“copy once” or “copy N times”);

[0006] no more copying authorized (“copy no more”);

[0007] copying never authorized (“copy never”).

[0008] When the data belong to the last two categories, they may not be copied. That is to say they may only be viewed and/or listened to, when dealing with video and/or audio data, for example, but they may not be recorded, or if a recording is made illicitly, it must not be possible to reuse it later.

[0009] A first approach for guaranteeing this result consists in having any recording apparatus verify the aforesaid control data and, should data whose copying is unauthorized be detected, in disabling the recording.

[0010] However, this type of approach has restrictions since it can only operate with compliant (non “pirated”) recording apparatus.

[0011] Moreover, another method has been proposed in order that, when data are broadcast in a digital network such as a domestic digital network, they can only be copied within the network. To do this, the data which are broadcast in the digital network are scrambled with control words and these control words are encrypted with the aid of keys specific to the digital network around which the data flow. Thus, if copies of these data are made, they can only be played back within the digital network in which they have been copied. Refer to the French Patent Application of THOMSON multimedia, published as No. FR-A-2 792 482, for further details with regard to this matter.

[0012] However, this method does not allow the complete prevention of copying. There are in fact cases where content providers desire data to be broadcast “live” in a digital network but do not want it to be possible to make copies in order to replay this content later in the network. A typical example relates to the broadcasting of films by digital television operators.

SUMMARY OF THE INVENTION

[0013] An aim of the invention is therefore to propose a method making it possible to broadcast a content, in particular in a digital network, without it being possible to copy it.

[0014] The invention accordingly relates, according to a first aspect, to a method of transmitting digital data representing a content from a source to a receiver through a digital communication channel, the digital data being scrambled by at least one control word. The method includes the following steps implemented by the source.

[0015] The first step consists in generating an ephemeral encryption key stored temporarily by the source.

[0016] The second step consists in encrypting the control word with this ephemeral encryption key.

[0017] The third step consists in transmitting to the receiver:

[0018] the scrambled digital data; and

[0019] the encrypted control word, the latter being transmitted through an encrypted communication channel between the source and the receiver.

[0020] The fourth step consists in responding to an operation of authentication of the source by the receiver and, when the source is authenticated by the receiver, transmitting the encryption key to the receiver.

[0021] The fifth step consists in erasing the encryption key.

[0022] According to a particular characteristic of the invention, a new ephemeral encryption key is generated randomly by the source for each content transmitted.

[0023] According to a particular embodiment of the invention, an information item relating to the period of validity of the digital data to be transmitted is affixed to the data and the fifth step is performed after the expiry of this period of validity.

[0024] According to another particular embodiment, an information item indicating the number of times the content can be transmitted to a receiver is affixed to the data. This information item is stored temporarily by the source in a counter of access to the content and, before the fifth step, the counter of access to the content is decremented; and a test is performed to verify whether the counter of access to the content is equal to zero. The fifth step is executed only in the case of a positive response to the test.

[0025] According to a particular characteristic of the invention, the method furthermore includes, before or after the first step, a step consisting in generating an ephemeral authentication key, the authentication key being transmitted to the receiver, in the third step, through the encrypted communication channel.

[0026] Preferably, a new ephemeral authentication key is generated randomly by the source for each content transmitted.

[0027] According to a particular embodiment of the invention, in the fourth step, the authentication operation comprises the substeps consisting in receiving a random number from the receiver; performing a calculation on the basis of the random number and of the authentication key; and transmitting the result of the calculation to the receiver.

[0028] According to a particular characteristic of this embodiment, the encryption key is transmitted to the receiver with the result of the calculation in the third substep above.

[0029] According to another particular embodiment of the invention, the encryption key is transmitted to the receiver, in the fourth step, through the encrypted communication channel.

[0030] The invention also relates, according to a second aspect, to a method of transmitting digital data representing a content from a source to a receiver through a digital communication channel, the digital data being scrambled by at least one control word. The method comprises the following steps implemented by the receiver.

[0031] The first step consists in receiving the scrambled digital data.

[0032] The second step consists in receiving the encrypted control word encrypted with an encryption key, the encrypted control word being transmitted through an encrypted communication channel between the source and the receiver.

[0033] The third step consists in performing an operation of authentication of the source and, when the source is authenticated by the receiver: receiving and temporarily storing the encryption key; decrypting the control word with the encryption key; descrambling, with the aid of the decrypted control word, the digital data so as to transform them into a signal able to be presented to a user; and erasing the encryption key.

[0034] According to a particular embodiment of the invention, an ephemeral authentication key is furthermore received in the aforesaid second step, the authentication key being transmitted through the encrypted communication channel.

[0035] According to a particular characteristic of this embodiment, the authentication operation performed in the aforesaid third step comprises the substeps consisting: in generating a random number; in sending the random number to the source; in receiving from the source the result of a calculation performed on the basis of the random number and of the authentication key; and in verifying the result of the calculation, on the basis of the random number generated in the first substep and of the authentication key received in the second step.

[0036] According to another particular characteristic of this embodiment, the encryption key is received by the receiver with the result of the calculation in the third substep above.

[0037] According to another aspect of the invention, copy control information items are fixed to the digital data to be transmitted and the steps of the methods described above are only implemented when the copy control information items indicate that the digital data are of “copying unauthorized” type.

[0038] According to yet another aspect of the invention, the methods described above are implemented in a domestic digital network between a device for access to a content and a device for presentation of the content. The digital communication channel is formed of a digital bus to which the access device and the presentation device are attached.

[0039] Preferably, steps 1 to 5 of the method according to the first aspect of the invention are implemented in a removable security module attached to the source. Likewise, steps 1 to 3 of the method according to the second aspect of the invention are implemented in a removable security module attached to the receiver.

BRIEF DESCRIPTION OF THE DRAWINGS

[0040] The invention will be better understood upon reading the following description of particular, nonlimiting embodiments thereof given with reference to the appended drawings, in which:

[0041] FIG. 1 diagrammatically illustrates a first embodiment of the invention;

[0042] FIG. 2 is a diagram in the form of functional blocks of a domestic digital network in which the invention is implemented according to a second embodiment of the invention;

[0043] FIG. 3 diagrammatically illustrates the form of the data representing a digital content in the second embodiment of the invention; and

[0044] FIG. 4 illustrates the exchanges involved between elements of FIG. 2 during the implementation of the second embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0045] FIG. 1 diagrammatically represents a source 1 capable of sending digital data representing a content to a receiver 2. The source 1 is a device which receives digital data from a content provider so as to transmit them, through a digital communication channel, to a receiver device 2 capable of presenting them to an end user.

[0046] The method of the invention aims to prevent the illicit copying of data when the latter travel through the digital communication channel between the source and receiver. It is aimed more precisely at preventing, should the data be recorded, the possibility of their being “replayed” by the receiver device so as to be presented to a user.

[0047] More specifically, the source 1 is for example a digital decoder receiving digital television programs from a broadcaster and the receiver 2 is a digital television while the communication channel is a domestic digital network.

[0048] The content is transmitted from the source 1 to the receiver 2 in the form of scrambled data 3 scrambled by a control word commonly denoted CW. It will be noted that the data are scrambled either at the level of the source 1, or by the content provider.

[0049] To guarantee security of transmission and prevent the data from being recorded then replayed by the receiver 2, the following measures are adopted.

[0050] Firstly, the source 1 generates, for each content transmitted, an ephemeral encryption key KCW which in the subsequent description will be referred to as the content key and which is stored temporarily in a memory 7 of the source. This content key KCW is produced by a pseudo-random number generator located inside the source 1. This generator is the closest possible approximation to a truly-random number generator (“True Random Number Generator” as described in “Handbook of applied cryptography, Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, 1997, pages 165-173”) so that the probability of generating the same content key value twice is very low.

[0051] In the same manner the source 1 also generates a secret identifier I for each content and stores it in its memory 7. This identifier I will subsequently serve to authenticate the source 1 as will be seen hereinbelow.

[0052] The control word CW is then encrypted with the content key KCW. Next, the encrypted control word E_(KCW)(CW) 4 as well as the secret identifier I 5 are transmitted from the source to the receiver through an encrypted communication channel 21.

[0053] It will be noted that throughout the description, the following notation is adopted:

[0054] E_(K)(M) represents an operation of encrypting data M with a key K irrespective of the encryption algorithm used;

[0055] D_(K)(M) represents an operation of decrypting data M with a key K irrespective of the decryption algorithm used; and

[0056] | represents a data concatenation operation.

[0057] The encrypted communication channel 21 from the source 1 to the receiver 2 can be created, in a manner known per se, by performing symmetric or asymmetric encryption of the information which travels through this channel.

[0058] In a first variant embodiment using symmetric encryption, it is assumed that the source 1 and the receiver 2 already possess a pre-shared secret key S. The source 1 (but possibly the receiver 2) randomly generates a session key SSK. The source 1 encrypts SSK by using its key S and transmits the result E_(S)(SSK) to the receiver 2. The receiver 2 decrypts E_(S)(SSK) by using the pre-shared secret key S and retrieves SSK. Then, the encrypted control word E_(KCW)(CW) 4 and the secret identifier I 5 are encrypted with this session key SSK at the level of the source 1 before being transmitted to the receiver 2 which decrypts them with the aid of the same session key SSK.

[0059] To summarize, the following operations are performed:

[0060] by the source: E_(SSK)(E_(KCW)(CW)|I);

[0061] by the receiver: D_(SSK)(E_(SSK)(E_(KCW)(CW)|I)) = E_(KCW)(CW)|I.

[0062] In a second variant embodiment using asymmetric encryption, it is assumed that the receiver 2 possesses a private key K_(PRI_R) and public key K_(PUB_R) pair and that it has previously transmitted its public key, certified, in a manner known per se, by a certifying authority, to the source 1.

[0063] The source 1 therefore performs the following operation for encrypting the information to be transmitted (which comprises the encrypted control word 4 and the secret identifier I 5) with the public key of the receiver K_(PUB_R):

E_(K_(PUB_R))(E_(KCW)(CW)|I)

[0064] On receiving these information items, the receiver 2 then performs the inverse operation for decrypting, with its private key K_(PRI_R), the information items received:

D_(K_(PRI_R))(E_(K_(PUB_R))(E_(KCW)(CW)|I))

[0065] It will be noted that the transmission 20 of the scrambled data 3 is not necessarily synchronous with the transmission 21 of the encrypted control word 4 and of the secret identifier I.

[0066] When the receiver 2 has received the scrambled data 3 corresponding to a content as well as the secret identifier I 5 and the encrypted control word 4 relating to this content, it stores the identifier I in its memory 8 and it performs an operation 22 for authenticating the source 1.

[0067] This operation, known in the literature and by the person skilled in the art as the “identification” operation or “entity authentication” operation (see in particular the work “Handbook of applied cryptography, Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, 1997, pages 24-25”), is aimed at assuring the receiver 2 that the device which has just sent it a content is indeed the source 1 and that the latter is active at the time that the authentication operation takes place.

[0068] In practice, the receiver 2 authenticates via a protocol, known to the person skilled in the art as the “challenge-response protocol”, the fact that the source 1 knows the secret identity I associated with the content received. For example, the receiver 2 sends a random number n_(i) (also called “challenge”) to the source 1 so that the latter performs a calculation F(I, n_(i)), where F is a function such that it is impossible to calculate F(I, n_(i)), knowing F, n_(i) and not knowing I. Stated otherwise, only an entity knowing I can calculate F(I, n_(i)). It will in particular be possible to use the function HMAC-SHA-1, described in particular in “Keyed-Hashing for Message Authentication, RFC 2104, February 1997, Krawczyk et al.”, available at the following Internet address: ftp://ftp.isi.edu/in-notes/rfc2104.txt.

[0069] The result F(I, n_(i)) is sent to the receiver 2 which can thus verify, by calculating F(I, n_(i)) at its end and by comparing the result with the value received, that the source 1 knows I and is indeed the entity which sent it the content as well as the information E_(KCW)(CW)|I.

[0070] It will be noted that if an illicit recording of the streams which travel between the source 1 and the receiver 2 is performed, the apparatus which will perform the recording will not have access to the secret identifier I (transmitted by the encrypted communication channel 21) and will therefore be unable to respond correctly to the authentication operation 22. The receiver will in this case refuse to descramble the scrambled data 3.

[0071] If the source 1 is authenticated by the receiver 2, then the content key KCW 6 is transmitted to the receiver in step 23 and it is stored temporarily by the latter in its memory 8. The receiver is then able to decrypt the control word CW by performing the following operation:

D_(KCW)(E_(KCW)(CW));

[0072] then to descramble the data 3 so as to present them to a user.

[0073] Once the content has been presented to the user, the receiver no longer needs the secret identifier I and the content key KCW and it erases them from its memory 8.

[0074] At the level of the source 1, when the content key KCW 6 has been sent to the receiver 2 (step 23), it is erased from the memory 7 as is the secret identifier I. It is therefore no longer possible to transmit these items of information for possible subsequent playback of the data corresponding to the content transmitted.

[0075] Thus, the aim of the invention is achieved and the data representing the content are read only once by the receiver.

[0076] As a variant, in order to further increase the security of the method proposed, it is possible to transmit the content key KCW via the encrypted communication channel 21. In this case, it will be noted that when the first variant embodiment of the encrypted channel is used, the session key SSK is stored by the source 1 and by the receiver 2 in their respective memories 7 and 8 until the content key KCW is transmitted, after which the session key SSK is erased from the memories of the source and of the receiver.

[0077] In the embodiment just described, the content key KCW and the secret identifier I are erased from the memory 7 as soon as the content has been transmitted from the source 1 to the receiver 2.

[0078] However it is also possible, in a preferred variant of this embodiment, for the content to have a period of validity during which it can be transmitted to the receiver or for it to be possibly transmitted a specified number of times from the source to the receiver.

[0079] In the case where the content has a certain period of validity, the information item relating to this period of validity is affixed to the data representing the content and this information item is stored by the source 1 at the same time as the content key KCW and the identifier I. Next, when the key KCW 6 has been sent by the source 1 to the receiver 2 in step 23, a check verifies whether the period of validity of the corresponding content has or has not expired (for example by comparing this period with an internal clock of the source) and, only in the case where the period of validity has expired, the key KCW and the identifier I are erased from the memory 7 of the source. It will also be noted that when the first variant embodiment of the encrypted channel is used, the session key SSK is stored by the source 1 and by the receiver 2 in their respective memories 7 and 8 until the period of validity of the content has expired.

[0080] In the case where the content can be transmitted a specified number of times to the receiver, this number is affixed to the data representing the content and is stored by the source 1 in a counter, at the time that the key KCW and the identifier I are stored in the memory 7 of the source. This counter will then be decremented each time the key KCW is sent (step 23) to the receiver 2. When the counter is at zero, the key KCW and the identifier I are erased from the memory 7 of the source. Moreover, as above, when the first variant embodiment of the encrypted channel is used, the session key SSK is stored by the source 1 and by the receiver 2 in their respective memories 7 and 8 until the aforesaid counter is equal to zero.
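The first embodiment of paragraphs [0050] to [0080], as an added Python sketch that is not part of the patent text: it shows why a recorded response fails against a fresh challenge n_(i) and why the source can no longer answer once the counter reaches zero. Assumptions: XOR stands in for E_(K)/D_(K) (the description leaves the algorithm open), the encrypted channel 21 is treated as confidential rather than implemented, and all class names, function names and byte lengths are illustrative.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Stand-in for E_K(M) and D_K(M); assumes both inputs have equal length."""
    return bytes(x ^ y for x, y in zip(a, b))


def F(identifier: bytes, challenge: bytes) -> bytes:
    """F(I, n_i) computed as HMAC-SHA-1 keyed with the secret identifier I."""
    return hmac.new(identifier, challenge, hashlib.sha1).digest()


class Source:
    def __init__(self, control_word: bytes, transmissions: int = 1):
        self.kcw = secrets.token_bytes(len(control_word))  # ephemeral content key KCW
        self.ident = secrets.token_bytes(20)                # secret identifier I
        self.enc_cw = xor(control_word, self.kcw)           # E_KCW(CW)
        self.counter = transmissions                        # access counter of [0080]

    def channel_21_payload(self):
        """E_KCW(CW) | I; assumed to travel only over the encrypted channel 21."""
        return self.enc_cw, self.ident

    def answer(self, challenge: bytes):
        """Operation 22 and step 23: return (F(I, n_i), KCW), or None once erased."""
        if self.kcw is None:
            return None
        reply = (F(self.ident, challenge), self.kcw)
        self.counter -= 1
        if self.counter == 0:
            # Dropping the references models the erasure from memory 7.
            self.kcw = self.ident = self.enc_cw = None
        return reply


class Receiver:
    def __init__(self):
        self.enc_cw = self.ident = None

    def receive(self, enc_cw: bytes, ident: bytes) -> None:
        """Store what was decrypted from channel 21 (memory 8)."""
        self.enc_cw, self.ident = enc_cw, ident

    def play(self, answer_fn):
        """Challenge the sender; return CW on success, None on refusal."""
        challenge = secrets.token_bytes(16)                 # fresh n_i per attempt
        reply = answer_fn(challenge)
        if reply is None:
            return None
        response, kcw = reply
        if not hmac.compare_digest(response, F(self.ident, challenge)):
            return None                                     # sender does not know I
        control_word = xor(self.enc_cw, kcw)                # D_KCW(E_KCW(CW))
        self.enc_cw = self.ident = None                     # erase after presentation
        return control_word


def run_scenario(transmissions: int = 1) -> dict:
    cw = bytes.fromhex("0123456789abcdef")                  # constructed sample CW
    source, receiver = Source(cw, transmissions), Receiver()
    # A recorder on the link sees channel 21 only as ciphertext; replaying that
    # ciphertext lets the receiver recover the same payload again, which is
    # modelled here by handing the receiver the same tuple.
    payload = source.channel_21_payload()
    recorded = []                                           # what the recorder taps

    def tapped(challenge):
        reply = source.answer(challenge)
        recorded.append(reply)
        return reply

    plays = []
    for _ in range(transmissions):
        receiver.receive(*payload)
        plays.append(receiver.play(tapped))

    # Replay: the recorder re-sends the first recorded reply to a new challenge.
    receiver.receive(*payload)
    replayed = receiver.play(lambda challenge: recorded[0])
    # The genuine source is asked again after it has erased KCW and I.
    after_erase = receiver.play(source.answer)
    return {"cw": cw, "plays": plays, "replayed": replayed,
            "after_erase": after_erase, "source_erased": source.kcw is None}


if __name__ == "__main__":
    print(run_scenario(1))
    print(run_scenario(2))
```
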

[0081] We shall now describe, in conjunction with FIGS. 2 to 4, a second embodiment of the invention.

[0082] Represented in FIG. 2 is a domestic digital network containing an access device 10 linked by a bidirectional digital bus 40, preferably a bus according to the IEEE 1394 standard, on the one hand to a presentation device 12 and on the other hand to a digital recording device 13.

[0083] The access device 10 constitutes the source of the data in the network or the point of entry of any content 30 to the network. It is for example a digital decoder which receives digital data broadcast by satellite, over the airwaves (or terrestrially) or by cable. It may also be an optical disc reading apparatus broadcasting over the digital network data read from a disc, in particular a DVD (standing for “Digital Versatile Disc”). It may also be an apparatus adapted to receive data from the Internet by real-time downloading (also known as “streaming”), that is to say while viewing the content as and when loaded.

[0084] Naturally, even if just one access device is represented in FIG. 2, a domestic digital network can contain several devices of this type which each constitute sources broadcasting digital contents over the bus 40.

[0085] The presentation device 12 makes it possible to transform the digital data received from the bus 40 into a signal representative of the content intended to be presented to an end user. It is for example a digital television or a loudspeaker.

[0086] The digital recording device 13 is, for its part, capable of recording the data streams which flow around the bus 40 so as to replay them subsequently. It is for example a digital video recorder, a hard disk type storage device or an apparatus capable of recording optical discs of the DVD type.

[0087] Naturally, the domestic digital network can also contain several presentation devices as well as several recording devices.

[0088] Moreover, even if the three types of devices mentioned above have been represented separately, it is entirely possible for one and the same apparatus to contain two types of devices, or even three. For example, a digital television can contain a built-in decoder able to directly receive a content from outside the network. In this case, the invention will apply in the same way except that the digital data will travel via an internal bus to the apparatus (between the part of the apparatus constituting the access device and the part constituting the presentation device) instead of travelling via the bus 40.

[0089] Preferably, the access device 10 and the presentation device 12 each possess a smart card reader adapted to receive a card 14 and a card 15 respectively. Each of the smart cards 14, 15 includes a secure processor which, as is well known to the person skilled in the art, allows secure storage of data such as cryptographic keys. The usefulness of the smart cards 14 and 15 will be explained subsequently.

[0090] The content 30 which is received by the access device 10 preferably consists of packets of digital data scrambled by control words denoted CW as is commonly used in the broadcasting of pay-per-view digital television programmes. The control words CW are periodically renewed and are stored in control messages denoted ECM (standing for “Entitlement Control Message”), which are affixed to the corresponding scrambled data packets.

[0091] FIG. 3 diagrammatically illustrates the content of a data packet 300 representing the content 30. This data packet includes scrambled digital data 302 and a control message ECM 301 which contains the control word CW used to scramble the data. Naturally, a content, in particular a video sequence belonging to a televised programme, is formed of a succession of data packets of the type of the packet 300. It will also be noted that generally, the messages ECM containing the control words which served to scramble digital data are transmitted in advance, in the data stream, relative to the data scrambled with these control words.

[0092] If the content 30 received by the access device 10 is not already in the form described above, it is converted by the access device so as to consist of data packets as illustrated in FIG. 3.

[0093] It will be noted, moreover, that the digital data representing the content 30 contain copy control information items defining the status of the data with regard to copying. These information items are preferably inserted into the ECM messages and define, as was seen above, four possible states:

[0094] copying authorized (“copy free”);

[0095] a single generation (or a given number of generations) of copying authorized (“copy once” or “copy N times”);

[0096] no more copying authorized (“copy no more”);

[0097] copying never authorized (“copy never”).

[0098] The protocol according to the invention, as described below in conjunction with FIG. 4, makes it possible to prevent data belonging to the last two categories above (data of the “copying unauthorized” type) from being copied when they are transmitted from the access device 10 to the presentation device 12.

[0099] Moreover, other information items may be affixed to the data representing the content 30:

[0100] an information item relating to the period of validity of the data, that is to say the period during which they can be transmitted from the access device 10 to the presentation device 12; and/or

[0101] an information item relating to the number of times the data can be transmitted from the access device 10 to the presentation device 12.

[0102] Represented in FIG. 4 by two downward vertical axes t is the time axis so as to illustrate the processing operations performed by the access device 10 and the presentation device 12 as well as the exchanges between these devices when a new content 30 is to be broadcast over the domestic digital network.

[0103] During a first step 100, the access device 10 detects, as a function of the copy control information items inserted into the data, whether the content is such that copying is unauthorized.

[0104] If copying of the content is authorized, then the data are transmitted in a conventional manner over the network. If, on the other hand, the content received is of the “copying unauthorized” type, then the access device generates, in step 101:

[0105] a first random number R which constitutes an ephemeral encryption key which will be referred to as the “content key” in the subsequent description, and

[0106] a second random number K which constitutes an ephemeral authentication key which will be referred to for greater convenience as the “authentication key” in the subsequent description.

[0107] K and R are generated, for each content 30 received, by a pseudo-random number generator such that the probability of generating the same content key value R or authentication key value K twice is very low.

[0108] The content key R and the authentication key K are stored temporarily by the access device 10 which erases them, as will be seen below, once the content has been fully transmitted to a presentation device, possibly after the expiry of a period of validity of the content or after the latter has been transmitted a specified number of times to a presentation device 12.

[0109] If an information item relating to the period of validity of the content is affixed to the data, this information item is also stored by the access device 10 before or after step 101.

[0110] Likewise, if an information item indicating the number of times the content can be transmitted to a presentation device is affixed to the data, this information item is stored in a counter by the access device 10 before or after step 101.

[0111] Then, for each message ECM included in the data stream constituting the content, the access device 10 extracts the control word CW and performs, in step 102, the following operation for encrypting this control word with the content key R:

[0112] CW ⊕ R; where ⊕ represents the “exclusive OR” operation (or “XOR”).

[0113] The encrypted control word CW ⊕ R as well as the authentication key K are inserted into the message ECM in place of the initial control word. The message ECM thus transformed is denoted LECM. The message LECM comprises in particular the copy control information items which, in the present case, indicate that this content is of the “copying unauthorized” type.

[0114] The message LECM is then encrypted, in step 103, so as to be transmitted in a secure manner to the presentation device 12.

[0115] In a first preferred variant, asymmetric encryption will be used.It is assumed that as is described in the aforesaid French PatentApplication FR-A-2 792 482 from the applicant, the domestic digitalnetwork possesses a private key K_(PRI) _(—) _(RES) and public keyK_(PUB) _(—) _(RES) pair and that each access device 10 of the networkcontains the public key K_(PUB) _(—) _(RES) of the network and eachpresentation device 12 contains the private key K_(PRI) _(—) _(RES) ofthe network. The recording device 13 contains neither the public key northe private key of the network.

[0116] According to this preferred embodiment, the message LECM isencrypted by the access device 10 with the public key of the network byperforming the following operation:

E_(K) _(PUB) _(—) _(^(RES)) (LECM)

[0117] The presentation device 12 can then decrypt this message with theprivate key of the network by performing the operation:

D _(K) _(PRI) _(—) _(^(RES)) (E _(K) _(PUB) _(—) _(^(RES)) (LECM))=LECM

[0118] It is also possible, in a second variant, for each presentationdevice 12 of the network to possess its own private key K_(PRI) _(—)_(PD) and public key K_(PUB) _(—) _(PD) pair. In this case, thepresentation device 12 which wishes to receive a content of the “copyingunauthorized” type from an access device 10 sends its public key K_(PUB)_(—) _(PD) to this device beforehand. The message LECM is thenencrypted, in step 103, with this public key K_(PUB) _(—) _(PD) byperforming the operation:

E_(K) _(PUB) _(—) _(^(PD)) (LECM)

[0119] The presentation device 12 then decrypts this message byperforming the operation:

D _(K) _(PRI) _(—) _(^(PD)) (E _(K) _(PUB) _(—) _(^(PD)) (LECM))=LECM.

[0120] In a third variant, it is possible to encrypt the message LECM by using symmetric encryption. For example, each access device 10 and each presentation device 12 of the network contains a secret key of the network K_(S_RES). The message LECM is in this case encrypted by the access device with the secret key of the network by performing the operation:

E_(K_(S_RES))(LECM)

[0121] It can then be decrypted by the presentation device 12 by performing the operation:

D_(K_(S_RES))(E_(K_(S_RES))(LECM)) = LECM

[0122] Finally, it is furthermore possible, in a fourth variant, to encrypt the message LECM according to a symmetric encryption algorithm by using a pre-shared secret key.

[0123] In the subsequent description it will be assumed that the message LECM has been encrypted, in step 103, with the public key K_(PUB_RES) of the network as this is described in the first preferred variant above.

[0124] In the next step 104, the data packet 305 containing the encrypted message LECM and corresponding scrambled data is despatched on the bus 40 of the domestic network in the synchronous channel of the IEEE 1394 bus, which channel customarily transports the data compressed according to the MPEG 2 standard (ISO/IEC 13818-1).

[0125] This despatch is a broadcast over the network, that is to say all the presentation devices 12 which are attached to the bus 40 are able to receive the data packet 305.

[0126] When a presentation device 12 receives the packet 305, in step 105, it decrypts the message LECM with the private key of the network K_(PRI_RES) as was seen above according to the first preferred variant embodiment of the invention.

[0127] This having been done, it detects whether the scrambled data belong to a content of the “copying unauthorized” type and, in this case, obtains the encrypted control word CW ⊕ R as well as the authentication key K which it stores temporarily.

[0128] In the next step 106, with the aim of authentication of the access device 10 which has despatched the packet 305 over the network, the presentation device 12 generates a random number R_(i) and it despatches it to the access device 10 (step 107) using the asynchronous channel of the bus 40 (the despatch via the asynchronous channel of the bus 40 is represented by a dashed arrow in FIG. 4). The communication via the asynchronous channel of the bus is a communication of the “point-to-point” type, that is to say between two aforesaid devices of the network. Moreover, the asynchronous channel of the bus 40 exhibits the particular feature of not being able to be recorded by the conventional recording devices such as the device 13.

[0129] In step 108, when the access device 10 receives the number R_(i), it performs the following calculation:

h_(i) = MAC_(K)(R_(i)),

[0130] where “MAC_(K)(x)” represents a “Message Authentication Code” for the message x using a key K. For further details regarding “MACs” refer to the work “Handbook of applied cryptography, Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, 1997, page 325”.

[0131] The function HMAC-SHA-1 alluded to previously will preferably be used for the calculation of h_(i).

[0132] In the next step 109, the access device 10 despatches, via the asynchronous channel of the bus 40, the content key R as well as the result of the calculation h_(i) = MAC_(K)(R_(i)) to the presentation device 12.

[0133] The latter then performs, in step 110, the following calculation:

[0134] h′_(i) = MAC_(K)(R_(i)) using the number R_(i) generated in step 106 and the authentication key K obtained by decrypting the message LECM in step 105.

[0135] If h′_(i) is different from the number h_(i) received from the access device 10, then the presentation device 12 does not continue any further with the process. A message is for example displayed for the attention of the user (if the presentation device comprises a display screen) so as to forewarn the latter that the content cannot be viewed (or listened to).

[0136] If on the other hand h′_(i) = h_(i) then the access device 10 is authenticated. In this case, the presentation device 12 uses the content key R received to decrypt the control word CW by performing (step 111) the operation:

CW ⊕ R ⊕ R = CW.

[0137] The presentation device 12 can then descramble the data with the control word CW (step 112) and present the data to the user.

[0138] Steps 102 to 112 are repeated so as to transmit each data packet 300 forming the content. Next, in the following step 113, the presentation device 12 erases from its memory the content key R and the authentication key K which it had stored temporarily so as to perform the above calculations.
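
The challenge-response of steps 105 to 113, as an added sketch in Python that is not part of the patent text. It assumes the message LECM has already been decrypted by the presentation device, so the encryption of step 103 is not modelled; the class and function names, the 20-byte length of K and the 16-byte length of R_(i) are assumptions.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (the operation CW ⊕ R)."""
    if len(a) != len(b):
        raise ValueError("operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class AccessDevice:
    """Source side: holds the ephemeral content key R and authentication key K."""

    def __init__(self, cw: bytes):
        self.R = secrets.token_bytes(len(cw))  # content key, same length as CW
        self.K = secrets.token_bytes(20)       # authentication key (length assumed)
        # LECM carries CW ⊕ R and K; its encryption (step 103) is not modelled.
        self.lecm = {"cw_xor_r": xor(cw, self.R), "K": self.K}

    def respond(self, r_i: bytes):
        """Steps 108-109: return (R, h_i) with h_i = MAC_K(R_i), HMAC-SHA-1."""
        if self.R is None:
            raise RuntimeError("keys erased: content can no longer be served")
        return self.R, hmac.new(self.K, r_i, hashlib.sha1).digest()

    def erase(self):
        """Step 115: forget R and K so a recorded packet cannot be replayed."""
        self.R = self.K = self.lecm = None


def receive(lecm: dict, source) -> bytes:
    """Steps 105-113 on the presentation device; returns CW or raises."""
    cw_xor_r, k = lecm["cw_xor_r"], lecm["K"]          # step 105
    r_i = secrets.token_bytes(16)                      # step 106: fresh challenge
    r, h_i = source.respond(r_i)                       # steps 107-109
    h_prime = hmac.new(k, r_i, hashlib.sha1).digest()  # step 110
    if not hmac.compare_digest(h_prime, h_i):          # constant-time comparison
        raise PermissionError("source not authenticated")
    # Step 113: r and k go out of scope here; Python cannot guarantee zeroisation.
    return xor(cw_xor_r, r)                            # step 111: CW ⊕ R ⊕ R = CW
```

A device that recorded the broadcast packet but never saw R gains nothing from it: R only travels in answer to a fresh R_(i), and after `erase()` the source can no longer answer at all.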

[0139] Once all the data packets (and the corresponding control words CW) forming the content have been transferred from the access device 10 to the presentation device 12, three variant embodiments are possible.

[0140] According to a first variant embodiment, the content key R and the authentication key K are immediately erased, in step 115, from the memory of the access device 10 so that these data can no longer be transmitted to a presentation device for possible “replay” of the content.

[0141] According to a second variant embodiment, it is assumed that an information item relating to the period of validity of the content was affixed to the data representing the content and has been stored by the access device 10 before or after step 101. In this case, during step 114a, a test is performed to verify whether the period of validity of the content has expired. If the response to the test 114a is positive, then the content key R and the authentication key K are erased from the memory of the access device 10 during step 115. If conversely the response to test 114a is negative, then the content key R and the authentication key K are preserved in the memory of the access device 10 until the expiry of the period of validity of the content.

[0142] According to a third variant embodiment, it is assumed that an information item indicating the number of times that the content can be transmitted to a presentation device was affixed to the data. This information item has been stored (before or after step 101) by the access device 10 in a counter which will be denoted as the “counter of access to the content”. In this case, during a step 114b1, the counter of access to the content is decremented. Next, during a step 114b2, a test is performed to ascertain whether the counter of access to the content is at zero. If the response to this test 114b2 is positive, then the content key R and the authentication key K are erased from the memory of the access device 10 during step 115. If conversely the response to test 114b2 is negative, then the content key R and the authentication key K are preserved in the memory of the access device 10 in such a way as to allow a presentation device to access the content subsequently.

[0143] It will be noted that an advantage of the invention is that it allows several presentation devices attached to the domestic digital network to simultaneously access a content broadcast by an access device over the bus 40. In this particular case, the protocol just described in conjunction with FIG. 4 is executed in parallel between the access device and the various presentation devices (which share in particular the content key R and the authentication key K).

[0144] It will also be noted that, preferably, the operations performed in steps 100 to 115 just described are not implemented directly by the access device 10 or by the presentation device 12 but by the secure processors of the smart cards 14 and 15 which are inserted into respective card readers of the access device 10 and of the presentation device 12.

[0145] This solution offers enhanced security since it is almost impossible to access the data (such as the keys K and R in our example) contained in a smart card.

1. Method for transmitting digital data representing a content from a source (1, 10) to a receiver (2, 12) through a digital communication channel, the digital data being scrambled by at least one control word (CW), characterized in that it comprises the steps consisting for the source in: (a) generating an ephemeral encryption key (KCW, R) stored temporarily by the source (1, 10); (b) encrypting said control word (CW) using said encryption key; (c) transmitting to the receiver (2, 12): the scrambled digital data; and the encrypted control word, the latter being transmitted through an encrypted communication channel (21) between the source and the receiver; (d) responding to an operation (22) of authentication of the source by the receiver and, when the source is authenticated by the receiver, transmitting said encryption key to the receiver; (e) erasing the encryption key (KCW, R).
2. Method according to claim 1, characterized in that a new ephemeral encryption key (KCW, R) is generated randomly by the source (1, 10) for each content transmitted.
3. Method according to one of claims 1 or 2, characterized in that an information item relating to the period of validity of the digital data to be transmitted is affixed to said data and in that step (e) is performed after the expiry of said period of validity.
4. Method according to one of claims 1 or 2, characterized in that an information item indicating the number of times the content can be transmitted to a receiver is affixed to said data, the information item being stored temporarily by the source in a counter of access to the content and in that, before step (e): the counter of access to the content is decremented; and a test is performed to verify whether the counter of access to the content is equal to zero; step (e) being executed only in the case of a positive response to the test.
5. Method according to one of the preceding claims, characterized in that it furthermore includes, before or after step (a), a step consisting in generating an ephemeral authentication key (I, K), the authentication key being transmitted to the receiver, in step (c), through the encrypted communication channel.
6. Method according to claim 5, characterized in that a new ephemeral authentication key (I, K) is generated randomly by the source (1, 10) for each content transmitted.
7. Method according to one of claims 5 or 6, characterized in that step (d) comprises the substeps consisting in: (d1) receiving a random number (n_(i), R_(i)) from the receiver (2, 12); (d2) performing a calculation (F(I, n_(i)), MAC_(K)(R_(i))) on the basis of said random number and of said authentication key (I, K); and (d3) transmitting the result of the calculation (F(I, n_(i)), MAC_(K)(R_(i))) to the receiver (2, 12).
8. Method according to claim 7, characterized in that the encryption key (R) is transmitted to the receiver with the result of the calculation (MAC_(K)(R_(i))) in substep (d3).
9. Method according to one of the preceding claims, characterized in that the encryption key is transmitted to the receiver, in step (d), through the encrypted communication channel.
10. Method for transmitting digital data representing a content from a source (1, 10) to a receiver (2, 12) through a digital communication channel, the digital data being scrambled by at least one control word (CW), characterized in that it consists for the receiver in: (i) receiving the scrambled digital data; (j) receiving the control word encrypted using an encryption key (KCW, R), said encrypted control word being transmitted through an encrypted communication channel (21) between the source and the receiver; (k) performing an operation (22) of authentication of the source and, when the source is authenticated by the receiver: receiving and temporarily storing said encryption key; decrypting said control word with the encryption key; descrambling, with the aid of the decrypted control word, said digital data so as to transform them into a signal able to be presented to a user; and erasing said encryption key.
11. Method according to claim 10, characterized in that an ephemeral authentication key (I, K) is furthermore received in step (j), said authentication key being transmitted through the encrypted communication channel.
12. Method according to claim 11, characterized in that the authentication operation performed in step (k) comprises the substeps consisting in: (k1) generating a random number (n_(i), R_(i)); (k2) sending said random number (n_(i), R_(i)) to the source (1, 10); (k3) receiving from the source the result of a calculation (F(I, n_(i)), MAC_(K)(R_(i))) performed on the basis of the random number (n_(i), R_(i)) and of the authentication key (I, K); and (k4) verifying the result of said calculation (F(I, n_(i)), MAC_(K)(R_(i))) on the basis of the random number generated in step (k1) and of the authentication key received in step (j).
13. Method according to claim 12, characterized in that the encryption key (R) is received by the receiver with the result of said calculation (MAC_(K)(R_(i))) in substep (k3).
14. Method according to any one of the preceding claims, characterized in that copy control information items are fixed to the digital data to be transmitted and in that steps (a) to (e) of the method according to claims 1 to 9 and steps (i) to (k) of the method according to claims 10 to 13 are implemented only if the copy control information items indicate that the digital data are of “copying unauthorized” type.
15. Method according to one of the preceding claims, characterized in that it is implemented in a domestic digital network between a device (10) for access to a content and a device (12) for presentation of the content, and in that the digital communication channel is formed of a digital bus (40) to which said access device (10) and said presentation device (12) are attached.
16. Method according to claim 15, characterized in that, in step (c) of the method according to claims 1 to 9 and in steps (i) and (j) of the method according to claims 10 to 13, the scrambled digital data and the encrypted control word travel via the synchronous channel of said digital bus (40), the encrypted control word being contained in a message (LECM) which is encrypted with a public key of the domestic digital network.
17. Method according to claim 15, taken in combination with claim 7 or with claim 12, characterized in that, in substeps (d1) and (d3) of the method according to claim 7 or in substeps (k2) and (k3) of the method according to claim 12, the random number (R_(i)) and the result of the calculation (MAC_(K)(R_(i))) travel via the asynchronous channel of said digital bus (40).
18. Method according to one of the preceding claims, characterized in that steps (a) to (e) of the method according to claims 1 to 9 are implemented in a removable security module (14) attached to the source (10) and steps (i) to (k) of the method according to claims 10 to 13 are implemented in a removable security module (15) attached to the receiver (12).